Data breaches have become a fact of life, along with death and taxes. What is required of CISOs and heads of information security is to manage the risks associated with a cybersecurity incident. A basic principle of risk mitigation is to spread the risk through a cyber insurance product, just as you would with an auto or home insurance product. However, internet-based or cyber risks have not traditionally been included in commercial general liability policies. As organizations confront data breaches through well-publicized events such as the Yahoo! and Ashley Madison hacks, corporate hacking insurance is surging.
Indeed, the cyber insurance market is currently growing at a rate of between 25 and 35 percent per year. The U.S. insurance industry alone collected $2.75 billion in cyber insurance premiums in 2015. The sector was worth less than a billion dollars worldwide in 2012, topped $2 billion in 2015 and could triple by 2020 (see this report from the SANS Institute).
Cyber insurance should become common coverage for all businesses, with the condition that premiums reflect actual risks. Less than 20% of the organizations targeted by hackers in 2016 were large organizations. In fact, smaller organizations with less than $1 million in annual revenue accounted for the largest percentage of the losses. The PartnerRe Cyber Insurance Survey has noted a growing demand for cyber insurance coverage beyond regulated industries. Requirements imposed by customers and other third parties that an organization carry insurance are increasingly driving the market.
The most common coverage required by organizations is data breach crisis management, which can include expenses related to the management of the incident, the investigation, the remediation, data subject notification, call management, credit checking for affected users, legal costs and regulatory fines. Mandatory notification laws and their associated costs are playing an important role in the decision to acquire cyber liability insurance coverage. In addition, with the growth of ransomware in recent years, cyber extortion has motivated organizations to reduce their monetary risk through insurance vehicles. Other risks that are often included in policies are funds transfer fraud, cyber-related contingent business interruption and data restoration.
Many experts report a lack of consistency between the coverage offered by various insurers. There are also divergences between the language of cyber security and the wording in cyber insurance policies. Some situations are still ambiguous, such as whether bodily injury or property damage resulting from a cyber-related cause of loss should be covered by a company’s cyber insurance or its general insurance. When reading a policy, it’s important to carefully read the definitions of terms such as “hackers”, “attacks” or “incidents” and “breach” to understand when your coverage is triggered.
To add to the confusion, brokers are still unable to grasp the technical aspects of information security. Consequently, it often falls on the CISO to determine the costs or expenses, as well as the types of incidents, that should be covered. The right policy will depend on the type of business, the business model, the industry, the size, the risk exposure and the security posture of the organization. However, the number of records with personal information and/or sensitive commercial information that are retained by your organization will be the most heavily weighted variable of any policy.
It is common for insurance policies to require state-of-the-art data encryption. Make sure that you understand the requirements and that they are feasible within your business model, because an insurer could refuse to cover your organization for any data breaches or cyberattacks that are the result of unencrypted data or devices.
Some insurers will help you manage the data breach incident, for example through third-party suppliers. The importance of this depends on your own incident response capabilities. Unfortunately, too many organizations are still at a loss as to how to react after experiencing a data breach.
Insurance policies have a set of exclusions that often include limitations, such as when the data are stolen by an authorized person. Keep in mind that human error is the leading cause of cyber incidents (more information here).
Verizon’s 2016 Data Breach Investigations Report demonstrated that close to a quarter of events were discovered in a matter of “days or less”. This is an improvement over previous years; however, the majority of data breaches are still not discovered immediately, and the “dwell time”, the period during which malware remains undiscovered, has increased for the other three quarters of attacks.
For instance, will a claim be refused if an organization is processing data in a way that may contravene the laws of one country but not another? What if, in the context of the Personal Information Protection and Electronic Documents Act (PIPEDA), the Privacy Commissioner states that an organization did not have ‘reasonable safeguards’ in place to protect the personal information? What if you are not compliant with non-mandatory standards? Indeed, some insurance companies will require demonstration of conformity with specific sets of standards.
Indeed, only 48% of CISOs and security professionals find cyber insurance ‘adequate’ when recovering from a breach. Make sure to understand your policy, to obtain the right coverage, and to make cyber insurance a critical and integrated aspect of a wider cybersecurity strategy.
Do you want to make the best of your cyber liability insurance? If so, read the second part of this blog to discover how you can reduce your cyber insurance premium with an effective cybersecurity program.